From c89b35c5fc99bdf1d2181f7f0c9fcb8a1abc27c8 Mon Sep 17 00:00:00 2001
From: John MacFarlane
Date: Thu, 21 Mar 2019 11:28:37 -0700
Subject: [PATCH] html renderer: Don't preserve entities when rendering...
href, src, title, info string.
This gives rise to double-encoding errors when the original
markdown contains an entity, e.g. one that stands for `:`, since the
commonmark reader already unescapes entities.
Thanks to Sebastiaan Knijnenburg for noticing this.
---
lib/render/html.js | 10 +++++-----
test/regression.txt | 12 ++++++++++--
2 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/lib/render/html.js b/lib/render/html.js
index 204f4fef..30a374ee 100644
--- a/lib/render/html.js
+++ b/lib/render/html.js
@@ -62,10 +62,10 @@ function link(node, entering) {
var attrs = this.attrs(node);
if (entering) {
if (!(this.options.safe && potentiallyUnsafe(node.destination))) {
- attrs.push(['href', this.esc(node.destination, true)]);
+ attrs.push(['href', this.esc(node.destination, false)]);
}
if (node.title) {
- attrs.push(['title', this.esc(node.title, true)]);
+ attrs.push(['title', this.esc(node.title, false)]);
}
this.tag('a', attrs);
} else {
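Review bot: The switch to `this.esc(node.destination, false)` matters for `options.safe`, but nothing in `link` says so. `potentiallyUnsafe(node.destination)` is evaluated on text the reader has already unescaped (per the commit message), so the attribute value must be written without preserved entities; otherwise a browser could decode an entity into a destination the check never saw. I would add a comment above the `href` push such as `// escape fully: the safe check ran on decoded text, so no entity may survive into the attribute`. The same reasoning applies to the `title` push and presumably to the `src` change in `image`, whose changed lines are not visible in this view. The body of `link` continues past the hunk.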
@@ -79,7 +79,7 @@ function image(node, entering) {
if (this.options.safe && potentiallyUnsafe(node.destination)) {
this.lit('');
}
@@ -143,7 +143,7 @@ function code_block(node) {
var info_words = node.info ? node.info.split(/\s+/) : []
, attrs = this.attrs(node);
if (info_words.length > 0 && info_words[0].length > 0) {
- attrs.push(['class', 'language-' + this.esc(info_words[0], true)]);
+ attrs.push(['class', 'language-' + this.esc(info_words[0], false)]);
}
this.cr();
this.tag('pre');
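Review bot: The bare `false` in `this.esc(info_words[0], false)` does not tell a reader what it turns off, and after this commit every `esc` call shown in the diff passes the same value. If no caller outside these hunks still needs entity preservation, dropping the argument (or defaulting it inside `esc`) would keep a later edit from reintroducing the preserving form. Otherwise a short comment such as `// false: do not preserve entities; the info string is already unescaped` would do. `code_block` continues past the hunk.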
diff --git a/test/regression.txt b/test/regression.txt
index a658c590..55513c85 100644
--- a/test/regression.txt
+++ b/test/regression.txt
@@ -95,8 +95,8 @@ Issue #116 - tabs before and after ATX closing heading
foo
````````````````````````````````
-commonmark/CommonMark#493 - escaped space not allowed in link
-destination.
+commonmark/CommonMark#493 - escaped space not allowed in link destination.
+
```````````````````````````````` example
[link](a\ b)
.
@@ -116,3 +116,11 @@ City:
````````````````````````````````
+
+Double-encoding.
+
+```````````````````````````````` example
+[XSS](javascript:alert%28'XSS'%29)
+.
+XSS
+````````````````````````````````
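Review bot: The new "Double-encoding" example exercises only a link destination, while the commit also changes escaping for link titles, image `src` and the code-block info string. One example per changed attribute would pin each call site, for instance a link with an entity in its title and a fenced block with an entity in its info string. If the regression runner can be invoked with the `safe` option, a case asserting that the `href` is dropped for a destination rejected by `potentiallyUnsafe` would cover the security-relevant path as well; whether the runner supports that is not visible here.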